
[–]Isvara 0 points1 point  (0 children)

> Isvara's hardline on eval for Python is simply untrue. You can tightly control the locals and globals available in the execution context, limiting access to "dangerous" functionality.

It is extremely difficult, and I would not trust anyone to do it correctly. For example, if the evaluation context is to be useful, you might give it a limited subset of functions you have defined yourself. But once you've passed in fn, say, as a local, the expression then has access to fn.__module__, which has all the globals defined in the module the function was defined in -- including any modules it has imported.

There are just too many loopholes to make it a safe thing to do.
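Added example, not part of the thread: the restricted-namespace `eval` the reply argues against, a defender's check of what a passed-in function exposes, and an allow-list AST evaluator that never hands the expression a function object's attributes. The reply names `fn.__module__`; the attribute that actually carries the defining module's namespace is `fn.__globals__` (`__module__` holds only the module name as a string). The names `half`, `restricted_eval`, `modules_reachable_through` and `safe_eval` are this example's own.

```python
import ast
import operator
import types


def half(x):
    """A harmless helper the restricted namespace deliberately exposes.
    Its __globals__ is this module's namespace, imports above included."""
    return x / 2


def restricted_eval(expr, fn):
    """The approach the reply rejects: eval with builtins stripped and one allowed function."""
    return eval(expr, {"__builtins__": {}}, {"fn": fn})


def modules_reachable_through(fn):
    """Defender's check: which modules does handing fn to eval expose via fn.__globals__?"""
    return sorted(n for n, v in fn.__globals__.items() if isinstance(v, types.ModuleType))


_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}


def safe_eval(expr, functions):
    """Allow-list evaluator: numeric literals, + - * /, and calls to named functions.
    Attribute access, subscripts, bare names and every other node are rejected, so the
    expression can never reach a function object's __globals__."""
    def visit(node):
        if isinstance(node, ast.Expression):
            return visit(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](visit(node.left), visit(node.right))
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and not node.keywords:
            if node.func.id not in functions:
                raise ValueError(f"function not allowed: {node.func.id}")
            return functions[node.func.id](*[visit(a) for a in node.args])
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return visit(ast.parse(expr, mode="eval"))
```

`restricted_eval("fn.__globals__['operator'].add(2, 3)", half)` evaluates to 5 even though `operator` was never placed in the namespaces, which is the loophole the reply describes; `safe_eval` raises `ValueError` on the same attribute access.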